I haven't done much in web security before but now need to prevent a form from being submitted from anything but my own domain.

I know how to lock this down in an .htaccess file but the referrer isn't very reliable from what I've understood.

I'm now looking into nonces. I've set up a nonce on my form which works (I'm using WordPress, so creating nonce fields is easy).

What I now need to know is: does this actually help me in preventing cross-domain submissions?

In my mind it does, as you would need my secret key to generate the nonce string, but on the other hand the nonce string is visible in the page source. Does that mean you would need my secret key again to translate the nonce string in order to validate it?

1 Answer
1

Preventing form submissions from another source is a solved problem, and using a nonce is one of the recommended methods.

For some background, there's a form of attack against web applications known as Cross-Site Request Forgery (XSRF). A cross-site request forgery, in simplest terms, is when someone loads JavaScript on a malicious page that makes posts to another page. There is more to it than that, and if you're unfamiliar with CSRF, I strongly recommend reading up on it. (See Jeff Atwood's article in addition to the OWASP article I linked to above.)

The good news is that many web development frameworks already have pre-built mechanisms to prevent XSRF attacks, and they do so by ensuring that posts come from your own domain. Again, using a nonce is one of those methods.

From the OWASP page on XSRF:

Related Controls

Add a per-request nonce to URL and all forms in addition to the standard session. This is also referred to as "form keys". Many frameworks (ex, Drupal.org 4.7.4+) either have or are starting to include this type of protection "built-in" to every form so the programmer does not need to code this protection manually.

TBD: Add a per-session nonce to URL and all forms

At the bottom of the OWASP page are several references including links to already-available mechanisms for addressing this, including the OWASP CSRF Guard, which is a set of J2EE, .NET, and PHP filters that append a unique request token to each form and link in the HTML response in order to provide universal coverage against CSRF throughout your entire application.
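To make the answer concrete, here is an added example (not code from the question, the answer, or WordPress itself) of how a nonce of the kind described above is generated and verified on the server. It is modelled on the general scheme WordPress nonces use (an HMAC keyed with a server secret over a time "tick", the action name and the user's session identity), but every name, the secret and the lifetime below are constructed for illustration. It answers the question in the post directly: the nonce printed into the page is not a secret in itself, it is a value that only the server can recompute, and it is tied to the session that fetched the page, so a nonce an attacker obtains from their own browser does not validate for a victim's session.

```python
import hashlib
import hmac

# Constructed server-side secret for the demo. In a real deployment this
# is a long random value loaded from config and never sent to the browser.
SERVER_SECRET = b"constructed-demo-secret-do-not-use-in-production"

# A nonce stays valid for two consecutive "ticks"; WordPress uses a
# similar half-day tick, but the value here is just an assumption.
TICK_SECONDS = 6 * 60 * 60


def _tick(now):
    """Coarse time window the nonce is bound to (unix seconds -> tick)."""
    return int(now // TICK_SECONDS)


def _compute(tick, action, session_id):
    """HMAC over tick|action|session, truncated like a typical form key."""
    msg = f"{tick}|{action}|{session_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:20]


def make_nonce(session_id, action, now):
    """Value the server embeds in the form as a hidden field."""
    return _compute(_tick(now), action, session_id)


def verify_nonce(nonce, session_id, action, now):
    """Accept a nonce minted in the current or the previous tick only."""
    tick = _tick(now)
    for t in (tick, tick - 1):
        expected = _compute(t, action, session_id)
        # constant-time comparison so the check itself leaks nothing
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def handle_post(form, session_id, now, action="submit_contact"):
    """Minimal POST handler: reject the request unless the nonce checks out."""
    nonce = form.get("_nonce", "")
    if not verify_nonce(nonce, session_id, action, now):
        return 403, "nonce check failed"
    return 200, "accepted"


if __name__ == "__main__":
    t0 = 1_000_000  # constructed timestamp
    victim, attacker = "session-victim", "session-attacker"

    # 1. The legitimate page render embeds a nonce for the victim's session.
    nonce = make_nonce(victim, "submit_contact", t0)
    print(handle_post({"_nonce": nonce}, victim, t0))            # (200, 'accepted')

    # 2. The attacker's page cannot read the victim's nonce cross-origin, so
    #    it either sends nothing or the nonce from the attacker's own session.
    print(handle_post({}, victim, t0))                            # (403, ...)
    theirs = make_nonce(attacker, "submit_contact", t0)
    print(handle_post({"_nonce": theirs}, victim, t0))            # (403, ...)

    # 3. A nonce minted for one action does not authorise another.
    print(handle_post({"_nonce": nonce}, victim, t0, "delete"))   # (403, ...)

    # 4. The nonce expires after the grace window passes.
    print(handle_post({"_nonce": nonce}, victim, t0 + 2 * TICK_SECONDS))  # (403, ...)
```

The point the question raises, that the nonce is visible in the page source, is not a problem for this scheme: the browser's same-origin policy stops a page on the attacker's domain from reading the HTML your site served to the victim, so the attacker never sees the victim's nonce, and the only nonce they can obtain (from their own session) fails the session binding. The secret is needed to produce a valid nonce for someone else's session, and it never leaves the server.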